Millal ja kuidas vastata andmesubjektide päringutele?
Isikuandmete kaitse üldmäärus (GDPR) näeb ette 8 põhiõigust andmesubjektidele. Kliendid, töötajad, tarnijad ja teised isikud saavad antud põhiõiguste kaudu teostada enda õigusi ja esitada päringud, muuhulgas andmetega tutvumiseks, parandamiseks, kustutamiseks ja ülekandmiseks.
Loe rohkem andmesubjektide õigustest ning tutvu meie soovitustega, millal ja kuidas nõuetekohaselt päringutele vastata.
Käesoleval lehel avaldatud info ja materjal omavad teavitamise eesmärki. Veebilehel esitatut ei tohi võtta õigusabi andmisena või konkreetse juhtumi või olukorra nõustamisena. Veebilehe sirvimine ja avaldatud informatsiooni tarbimine, uudiskirjaga liitumine või meile päringu saatmine ei loo advokaadi-kliendi suhet. Õigusabi saamiseks on vaja sõlmida eraldi kokkulepe ja õigusabi andmine toimub individuaalselt. Loe lähemalt meie kasutustingimustest.
© Kõik õigused kuuluvad CORE Legal Advokaadibüroole 2020
What data you shall provide?
Privacy notice in a accessible form (via webpage).
The controller shall take appropriate measures to provide any information relating to processing to the data subject in a
There are a few circumstances when you do not need to provide people with privacy information, such as if:
You must regularly review, and where necessary, update your privacy information.
If you plan to use personal data for a new purpose, you shall Update your privacy information and communicate the changes to individuals before starting any new processing,
The individuals have the right to
access and receive a copy of their
personal data, and other
supplementary information.
What information you have to provide:
Individuals can make SARs
verbally or in writing, including via social media.
If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
A third party can also make a
SAR on behalf of another person.
When requested by the data
subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
If you process a large amount of information about an individual, you may be able to ask them to specify the information or processing activities their request relates to, if it is not clear.
You should perform a reasonable search for the requested information.
You should provide the information in an accessible,
concise and intelligible format. The information should be disclosed securely.
Without delay and within one month of receipt of the request.
Where an exemption applies, you may refuse to provide all or some of the requested information, depending on the circumstances.
The example of exemptions: crime and taxation: risk assessment, legal professional privilege (advocates); journalism, academia, art and literature
You can also refuse to comply with a SAR if it is:
If you refuse to comply with a request, you must inform the individual of:
Make a policy for how to record request you receive (verbally or in written).
Understand what steps you need to take to verify the identity of requester.
You need to be satisfied that you know the identity of the requester (or the person the request is made on behalf of). If you are unsure, you can ask for information to verify an individual’s identity. The timescale for responding to a SAR does not begin until you have received the requested information. However, you should request ID documents promptly.
If an individual asks, you can provide a verbal response to their SAR, provided that you have confirmed their identity by other means. You should keep a record of the date they made the request, the date you responded, details of who provided the information and what information you provided.
As the controller of the information you are responsible for taking all reasonable steps to ensure its security.
You shall have suitable information management in place to allow you to locate and retrieve information efficiently.
The right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
If you receive a request for
rectification you should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary.
You should take into account the arguments and evidence provided by the data subject.
Without delay and within one month of receipt of the request.
If an exemption applies, you can refuse to comply with an objection (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request.
You can also refuse to comply with a request if it is:
Understand what steps you need to take to verify the identity of requester.
You may also take into account any steps you have already taken to verify the accuracy of the data prior to the challenge by the data subject.
It is a good practice to place a note on your system indicating that the individual challenges the accuracy of the data and their reasons for doing so.
Determining whether personal data is inaccurate can be more complex if the data refers to a mistake that has subsequently been resolved. It may be possible to argue that the record of the mistake is, in itself, accurate and should be kept.
In such circumstances the fact that a mistake was made and the correct information should also be included in the individuals data.
As a matter of good practice, you should restrict the processing of the personal data in question whilst you are verifying its accuracy, whether or not the individual has exercised their right to restriction.
The right is not absolute and only applies in certain circumstances.
Individuals have the right to have their personal data erased if:
If a valid erasure request is received and no exemption applies then you will have to take steps to ensure erasure from backup systems as well as live systems.
Those steps will depend on your particular circumstances, your retention schedule (particularly in the context of its backups), and the technical mechanisms that are available to you
It may be that the erasure request can be instantly fulfilled in respect of live systems, but that the data will remain within the backup environment for a certain period of time until it is overwritten.
Without delay and within one month of receipt of the request.
If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request.
You can also refuse to comply with a request if it is:
Understand what steps you need to take to verify the identity of requester.
If you have disclosed the personal data to others, you must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.
Individuals have the right to request the restriction or suppression of their personal data. This means that an individual can limit the way that an organisation uses their data.
When processing is restricted, you are permitted to store the personal data, but not use it.
There are a number of different methods that could be used to restrict data, such as:
If an exemption applies, you can refuse to comply with a request for restriction (wholly or partly).
You can also refuse to comply with a request if it is:
You need to have processes in place that enable you to restrict personal data if required.
Understand what steps you need to take to verify the identity of requester.
If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the restriction of the personal data – unless this proves impossible or involves disproportionate effort.
Information is only within the scope of the right to data portability if it is personal data of the individual that they have provided to you.
The right to data portability only applies when:
The right to data portability entitles an individual to:
You can achieve data portability by either:
You should provide the personal data in a format that is:
Where no specific format is in common use within your industry or sector, you should provide personal data using open formats such as CSV, XML and JSON. You may also find that these formats are the easiest for you to use when answering data portability requests.
If an exemption applies, you can refuse to comply with a request for data portability (wholly or partly)
You can also refuse to comply with a request if it is:
Where you have received an objection to the processing of personal data and you have no grounds to refuse, you need to stop or not begin processing the data.
This may mean that you need to erase personal data as the definition of processing under the GDPR is broad, and includes storing data. However, as noted above, this will not always be the most appropriate action to take.
Without delay and within one month of receipt of the request.
If an exemption applies, you can refuse to comply with an objection (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request.
You can also refuse to comply with a request if it is:
Understand what steps you need to take to verify the identity of requester.
It is good practice to have a policy for recording details of the objections you receive, particularly those made by telephone or in person.
GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.
The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. If your processing does not match this definition then you can continue to carry out profiling and automated decision-making.
You can only carry out this type of decision-making where the decision is:
You shall:
Because this type of processing is considered to be high-risk the GDPR requires you to carry out a Data Protection Impact Assessment (DPIA) to show that you have identified and assessed what those risks are and how you will address them.
You must: